From 8685d12996a01f20e06d6bf9bdc8cc0415802b39 Mon Sep 17 00:00:00 2001 From: "patchback[bot]" <45432694+patchback[bot]@users.noreply.github.com> Date: Fri, 10 Oct 2025 19:15:21 +0200 Subject: [PATCH] [PR #10893/14a858fd backport][stable-11] random_string: replace random.SystemRandom() with secrets.SystemRandom() (#10894) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit random_string: replace random.SystemRandom() with secrets.SystemRandom() (#10893) * random_string: replace random.SystemRandom() with secrets.SystemRandom() * add the forgotten blank line * Update changelogs/fragments/replace-random-with-secrets.yml * readd the description * Update changelogs/fragments/replace-random-with-secrets.yml --------- (cherry picked from commit 14a858fd9c66b1630ca54394daa80a74e547269d) Signed-off-by: Thomas Sjögren Co-authored-by: Thomas Sjögren Co-authored-by: Felix Fontein --- changelogs/fragments/replace-random-with-secrets.yml | 4 ++++ plugins/lookup/random_string.py | 5 +++-- 2 files changed, 7 insertions(+), 2 deletions(-) create mode 100644 changelogs/fragments/replace-random-with-secrets.yml diff --git a/changelogs/fragments/replace-random-with-secrets.yml b/changelogs/fragments/replace-random-with-secrets.yml new file mode 100644 index 0000000000..b82e59e7e9 --- /dev/null +++ b/changelogs/fragments/replace-random-with-secrets.yml @@ -0,0 +1,4 @@ +bugfixes: + - random_string lookup plugin - replace ``random.SystemRandom()`` with ``secrets.SystemRandom()`` when + generating strings. This has no practical effect, as both are the same + (https://github.com/ansible-collections/community.general/pull/10893). diff --git a/plugins/lookup/random_string.py b/plugins/lookup/random_string.py index 881c13dab6..c74713fecc 100644 --- a/plugins/lookup/random_string.py +++ b/plugins/lookup/random_string.py @@ -16,7 +16,7 @@ short_description: Generates random string version_added: '3.2.0' description: - Generates random string based upon the given constraints. - - Uses L(random.SystemRandom,https://docs.python.org/3/library/random.html#random.SystemRandom), so should be strong enough + - Uses L(secrets.SystemRandom,https://docs.python.org/3/library/secrets.html#secrets.SystemRandom), so should be strong enough for cryptographic purposes. options: length: @@ -169,6 +169,7 @@ _raw: import base64 import random +import secrets import string from ansible.errors import AnsibleLookupError @@ -209,7 +210,7 @@ class LookupModule(LookupBase): seed = self.get_option("seed") if seed is None: - random_generator = random.SystemRandom() + random_generator = secrets.SystemRandom() else: random_generator = random.Random(seed)